Author's Abstract

We present a theorem for deriving properties of a concurrent program by reasoning
about a simpler, coarser-grained version. The theorem generalizes a result that
Lipton proved for partial correctness and deadlock-freedom. Our theorem applies
to all safety properties.



Contents

1 Introduction
2 Lipton's Theorem
3 A General Reduction Theorem
  3.1 Definitions
    3.1.1 Programs
    3.1.2 Histories
    3.1.3 Commutativity
    3.1.4 Predicates and Safety Properties
    3.1.5 Operations
    3.1.6 Sequential Composition
    3.1.7 Possible Termination
  3.2 The Reduction Theorem and Corollaries
    3.2.1 Reduction
    3.2.2 The Reduction Theorem and a Corollary
    3.2.3 Deriving Lipton's Theorem
  3.3 An Example
4 Constraints
5 Discussion
Appendix: Proof of the Reduction Theorem
References



1 Introduction

To specify a concurrent program, one must specify what its atomic actions are. If
x := x + 1 is executed as a single atomic action, then

    cobegin x := x + 1 || x := x + 1 coend

increments x by 2; if each read and store of x is a separate atomic action, then it
increments x by 1 or 2.

We specify that a statement is executed as a single atomic action by enclosing it
in angle brackets. For example, ⟨x := x + 1⟩ is a statement that is executed as
one atomic action. A statement x := x + 1 in which each read and store of x is a
separate atomic action can be written as

    ⟨t := x⟩; ⟨t := t + 1⟩; ⟨x := t⟩

where t is a new variable that is local to the process and represents an "accumulator".

Representing a program using fewer atomic actions simplifies reasoning about it.
One way to reduce the number of atomic actions in a program is to combine two or
more atomic actions into a single larger one. This is often done by pretending that
a statement is atomic if its execution contains at most one access (read or write) of
a shared variable, tacitly applying what we will call the single-action rule. For the
example above, applying this rule would allow

    ⟨t := x⟩; ⟨t := t + 1⟩

to be combined into the single atomic action ⟨t := x + 1⟩.

The single-action rule cannot always be applied. For example, it would imply that
any operation can be considered atomic in a single-process program, because no
variable is shared. This would mean that a property of the program

    ⟨y := x + 1⟩; ⟨x := y⟩                                              (1)

could be established by proving it for the program

    ⟨y := x + 1; x := y⟩                                                (2)

This reasoning is wrong. The following property holds for the second program but
not the first.

    If the program is started in a state with x = y, then x = y holds in all
    states reached during execution.

Execution of (1) reaches an intermediate state in which x ≠ y, a state that does
not occur when executing (2).
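The following is an added example, not part of the paper: a small Python model of programs (1) and (2) that enumerates every history from a set of constructed start states with x = y and collects the states in which x = y fails. Encoding control as a program counter pc, the value range of x, and the names step_1 and step_2 are assumptions of the example; the point it shows is that the violation of the safety property is a single state on a finite history of (1), and that no history of (2) contains such a state.

```python
"""Exhaustive check of the property "x = y stays true" for programs (1) and (2).

A state is a tuple (pc, x, y), where pc is the control point: 0 before the
first statement, 1 between the two statements of (1), 2 at the end. Each
program is a next-state function returning the set of successor states, and
a history is any finite sequence of states that function admits. The value
range for x is a constructed bound so the enumeration terminates.
"""

def step_1(state):
    """Program (1): <y := x + 1>; <x := y>, two separate atomic actions."""
    pc, x, y = state
    if pc == 0:
        return {(1, x, x + 1)}      # after <y := x + 1>
    if pc == 1:
        return {(2, y, y)}          # after <x := y>
    return set()                    # terminated: no action enabled

def step_2(state):
    """Program (2): <y := x + 1; x := y>, one atomic action."""
    pc, x, y = state
    if pc == 0:
        return {(2, x + 1, x + 1)}  # both assignments in a single step
    return set()

def histories(step, start):
    """All maximal finite histories t_0, ..., t_n starting in `start`.
    Every shorter history is a prefix of one of these, so checking all
    states of the maximal histories checks every history."""
    done, pending = [], [(start,)]
    while pending:
        h = pending.pop()
        successors = step(h[-1])
        if not successors:
            done.append(h)
        for u in successors:
            pending.append(h + (u,))
    return done

def x_equals_y(state):
    return state[1] == state[2]

def violations(step, starts):
    """States reached from the given starts in which x = y fails."""
    return {s for start in starts
              for h in histories(step, start) for s in h if not x_equals_y(s)}

STARTS = {(0, v, v) for v in range(-3, 4)}   # constructed: every start has x = y

if __name__ == "__main__":
    print("program (1) violating states:", sorted(violations(step_1, STARTS)))
    print("program (2) violating states:", sorted(violations(step_2, STARTS)))
```

Running the block lists the intermediate states (1, v, v + 1) of program (1) as violations and an empty set for program (2).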

In this paper, we derive a general rule for combining atomic actions. It includes a 
correct version of the single-action rule as a corollary. Our rule applies only to safety 
properties, which include partial correctness, mutual exclusion, and deadlock- 
freedom, but not to liveness properties, such as termination and starvation-freedom. 
A safety property asserts that "something bad does not happen", so if it is violated, 
then it is violated by a finite portion of a (possibly infinite) execution of the program. 

The idea of combining atomic actions is probably as old as the study of concurrent 
algorithms. To our knowledge, the single-action rule was first mentioned in print 
by Owicki and Gries [10], where it was informally claimed for partial correctness 
properties. In [9], Lipton formally proved a closely related theorem for partial 
correctness and deadlock-freedom. However, Lipton was primarily concerned with 
semaphore operations, and it was not widely recognized that the single-action rule 
is a corollary of his results. Doeppner [4] extended Lipton's partial-correctness 
result to a somewhat larger class of safety properties. In this paper, we extend 
Lipton's and Doeppner's results to a more general class of safety properties. 



2 Lipton's Theorem

Before describing our result, we give an informal review of Lipton's work [9]. The
hypotheses of his main theorem involve commutativity relations between atomic
actions. We begin by defining these relations, departing somewhat from Lipton's
original notation.

Henceforth, we refer to atomic actions simply as actions. Formally, an action $\alpha$ is
a set of pairs of program states, where $(t, u) \in \alpha$ means that executing $\alpha$ in state $t$
can produce state $u$. We say that $\alpha$ is enabled in state $t$ iff (if and only if) there is a
state $u$ such that $(t, u) \in \alpha$. We write $t \xrightarrow{\alpha} u$ to denote that $(t, u)$ is an element of
$\alpha$. For example, a semaphore operation $P(\mathit{sem})$ is represented by an action $\alpha$ that
is enabled in state $t$ iff control is at that operation and the value of $\mathit{sem}$ is positive.
For this action, $t \xrightarrow{\alpha} u$ holds iff (i) $\alpha$ is enabled in state $t$ and (ii) state $u$ is the
same as $t$, except that control is after the semaphore operation and the value of $\mathit{sem}$
is one less than its value in $t$.

The program state includes control information, in addition to the values of program
variables. Thus, two instances of a statement ⟨x := x + 1⟩ in a program are different
actions because they have different effects on the control components of the state.

If $\alpha$ and $\beta$ are actions, then $\alpha\beta$ is defined to be the action such that $t \xrightarrow{\alpha\beta} u$ iff there
exists a $v$ such that $t \xrightarrow{\alpha} v$ and $v \xrightarrow{\beta} u$. An action $\rho$ right commutes with an
action $\alpha$ iff $t \xrightarrow{\rho\alpha} u$ implies $t \xrightarrow{\alpha\rho} u$, for every pair of states $t, u$. In other words,
$\rho$ right commutes with $\alpha$ means that if it is possible to execute first $\rho$ then $\alpha$, then
it is possible to produce the same state by executing first $\alp­ha$ then $\rho$. Similarly, $\lambda$ left
commutes with $\alpha$ iff $t \xrightarrow{\alpha\lambda} u$ implies $t \xrightarrow{\lambda\alpha} u$ for every pair of states $t, u$. Thus, $\rho$
right commutes with $\lambda$ iff $\lambda$ left commutes with $\rho$. Two actions commute iff each
one left commutes and right commutes with the other.

The hypotheses of Lipton's main theorem involve commutativity between actions
in different processes. An action $\rho$ in a process is called a right mover iff it right
commutes with the actions of every other process. An action $\lambda$ is a left mover iff it
left commutes with the actions in every other process.

Lipton observed that, if semaphore operations are represented as atomic actions,
then $P$ actions are right movers and $V$ actions are left movers. To see that $P$ actions
are right movers, let $\rho$ be a $P(\mathit{sem})$ action, let $\lambda$ be an action in another process,
and assume that executing $\rho$ then $\lambda$ from state $t$ can produce state $u$. There are
three cases to consider.

  • $\lambda$ does not access the semaphore $\mathit{sem}$. In this case, $\rho$ can obviously be
    executed after $\lambda$ to produce the same state $u$.

  • $\lambda$ is another $P(\mathit{sem})$ action. Executing the two $P(\mathit{sem})$ actions in either
    order must produce the same state.

  • $\lambda$ is a $V(\mathit{sem})$ action. In this case, executing $\lambda$ from state $t$ produces a state
    with $\mathit{sem} > 0$, so $\rho$ can then be executed to produce state $u$. (Note that $\rho$
    does not left commute with $\lambda$ because, in a state with $\mathit{sem} = 0$, it is possible
    to execute a $V(\mathit{sem})$ followed by a $P(\mathit{sem})$, but not a $P(\mathit{sem})$ followed by
    a $V(\mathit{sem})$.)

Similar reasoning shows that every $V$ action is a left mover.
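As an added example (not from the paper), the following Python encodes the three-process situation just discussed, with actions as functions from a state to its possible successor states, and checks the commutativity relations exhaustively over a constructed finite state space. The state layout, the bound SEM_MAX and the process names p, q, r are assumptions of the example; composition, right/left commutes and mover are implemented as defined above, and `counterexample` exhibits the state with sem = 0 from which V then P is possible but P then V is not.

```python
"""Commutativity of semaphore actions, checked by exhaustive enumeration.

Three processes share a semaphore sem: process p executes P(sem), process q
executes V(sem), and process r executes a second P(sem). A state is
(pc_p, pc_q, pc_r, sem), where each pc is 0 before that process's operation
and 1 after it. An action is a function from a state to the set of states it
can produce (empty set = not enabled). Constructed model, not from the paper.
"""
from itertools import product

SEM_MAX = 3   # constructed bound on sem for the enumerated state space

def P_p(s):                           # P(sem) in process p
    pc_p, pc_q, pc_r, sem = s
    return {(1, pc_q, pc_r, sem - 1)} if pc_p == 0 and sem > 0 else set()

def V_q(s):                           # V(sem) in process q
    pc_p, pc_q, pc_r, sem = s
    return {(pc_p, 1, pc_r, sem + 1)} if pc_q == 0 else set()

def P_r(s):                           # P(sem) in process r
    pc_p, pc_q, pc_r, sem = s
    return {(pc_p, pc_q, 1, sem - 1)} if pc_r == 0 and sem > 0 else set()

STATES = [(a, b, c, sem) for a, b, c in product((0, 1), repeat=3)
          for sem in range(SEM_MAX + 1)]

def compose(alpha, beta):
    """The action alpha-then-beta: t -> u iff t -alpha-> v -beta-> u for some v."""
    return lambda t: {u for v in alpha(t) for u in beta(v)}

def right_commutes(rho, alpha, states=STATES):
    """rho right commutes with alpha: every result of rho;alpha is a result of alpha;rho."""
    rho_alpha, alpha_rho = compose(rho, alpha), compose(alpha, rho)
    return all(rho_alpha(t) <= alpha_rho(t) for t in states)

def left_commutes(lam, alpha, states=STATES):
    """lam left commutes with alpha iff alpha right commutes with lam."""
    return right_commutes(alpha, lam, states)

def is_right_mover(action, other_processes):
    return all(right_commutes(action, a) for a in other_processes)

def is_left_mover(action, other_processes):
    return all(left_commutes(action, a) for a in other_processes)

def counterexample(rho, alpha, states=STATES):
    """First state t where rho;alpha reaches a state that alpha;rho cannot, or None."""
    rho_alpha, alpha_rho = compose(rho, alpha), compose(alpha, rho)
    for t in states:
        extra = rho_alpha(t) - alpha_rho(t)
        if extra:
            return t, sorted(extra)
    return None

if __name__ == "__main__":
    print("P_p is a right mover:", is_right_mover(P_p, [V_q, P_r]))
    print("V_q is a left mover: ", is_left_mover(V_q, [P_p, P_r]))
    print("P_p left commutes with V_q:", left_commutes(P_p, V_q))
    print("V_q;P_p reachable but P_p;V_q not, from:", counterexample(V_q, P_p))
```

The check is exhaustive only for the bounded state space; because the actions are functions, successor states outside the bound (sem = SEM_MAX + 1 after a V) are still produced and compared, so the bound does not create spurious commutativity failures.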

To combine actions, Lipton introduced the notion of reducing a program by a
statement. Let $S$ be a sequence $\langle S_1\rangle; \langle S_2\rangle; \ldots; \langle S_k\rangle$ of statements in a program
$\Pi$. Program $\Pi$ reduced by $S$, denoted $\Pi/S$, is the program obtained from $\Pi$
by replacing $S$ with the single atomic statement $\langle S_1; \ldots; S_k\rangle$. Lipton proved the
following result.

Lipton's Theorem  Let $\Pi$ be a program and $S$ have the form $\langle S_1\rangle; \langle S_2\rangle; \ldots; \langle S_k\rangle$,
where, for some $i$:

1. $S_1, \ldots, S_{i-1}$ are right movers.

2. $S_{i+1}, \ldots, S_k$ are left movers.

3. From any program state in which execution of $S$ has begun but not terminated,
   it is possible, by executing only actions in $S$, to reach a state in which
   $S$ has terminated.

Then, programs $\Pi$ and $\Pi/S$ satisfy the same partial correctness and deadlock-freedom
properties.

The single-action rule asserts that, if $S$ contains at most one access to a shared
variable, then we can prove a property of program $\Pi$ by proving it for $\Pi/S$. If
an action $\alpha$ does not access any variable that is accessed by any other process,
then $\alpha$ is both a left and a right mover. Letting $\langle S_i\rangle$ be the single statement in
$S$ that accesses a shared variable (or any statement if $S$ does not access a shared
variable), Lipton's Theorem implies the single-action rule for reasoning about
partial correctness and deadlock freedom, except that the single-action rule does
not require hypothesis 3. We will show that hypothesis 3 is not needed in Lipton's
Theorem for partial correctness properties, so the single-action rule is valid for
partial correctness.

Partial correctness relates initial and final states, but makes no assertion about states
in which control is inside $S$. Doeppner extended Lipton's result to a more general
class of safety properties that also assert nothing when control is within $S$. A
precise statement of Doeppner's result is given below.

To use Lipton's Theorem (or Doeppner's extension), one usually performs many
reductions to decrease the number of separate actions in a program. We now
show that these reductions can all be done at once. Let $S$ and $S'$ be two disjoint
sequences of statements. We show that if $S$ and $S'$ both satisfy the hypotheses
of Lipton's Theorem, then $(\Pi/S)/S'$, which equals $(\Pi/S')/S$, and $\Pi$ satisfy the
same partial correctness and deadlock-freedom properties. Since $S$ satisfies the
hypotheses, $\Pi/S$ and $\Pi$ satisfy the same properties. An action that left or right
commutes with every action of $S$ in program $\Pi$ must left or right commute with
$\langle S\rangle$ in program $\Pi/S$. Therefore, if $S'$ satisfies the hypotheses of Lipton's Theorem
in program $\Pi$, then it also satisfies these hypotheses in $\Pi/S$. Hence, a second
application of Lipton's Theorem shows that $(\Pi/S)/S'$ and $\Pi$ satisfy the same
partial correctness and deadlock-freedom properties. Generalizing to an arbitrary
number of reductions is obvious.

3 A General Reduction Theorem

We begin by defining the concepts needed to formalize the notion of reduction.
Then, in Section 3.2, we state a generalization of Lipton's Theorem; its proof is
in the appendix. We derive Doeppner's result as a corollary, and use it to prove
Lipton's Theorem. The section closes with an example of the use of our theorem.

3.1 Definitions

3.1.1 Programs

Thus far, we have viewed a program $\Pi$ as a set of states and a set of actions. (Recall
that an [atomic] action is a set of pairs of states.) However, what matters for safety
properties is not the set of actions, but the program's next-state relation, which is
the union of all the program's actions. For example, replacing the single program
action

    ⟨x := |x| + 1⟩

by the pair of actions

    if ⟨x > 0 → x := x + 1⟩ □ ⟨x ≤ 0 → x := −x + 1⟩ fi

yields an equivalent program.

We therefore formally define a program $\Pi$ to consist of a set of states and a single
action $\Pi$, where $\Pi$ is the next-state relation. (The next-state relation, being the
union of actions, is itself an action.) Observe that, although the specification of a
program usually describes its possible starting states, we do not include any special
starting or terminating states in our formal definition; they are irrelevant to our
results.

3.1.2 Histories

A history of $\Pi$ is a finite, nonempty sequence $t_0, \ldots, t_n$ of states such that $t_i \xrightarrow{\Pi} t_{i+1}$
for $0 \le i < n$. This history represents a partial execution (possibly complete) of
$\Pi$, starting in state $t_0$ and reaching state $t_n$. Only such finite partial executions need
be considered when proving safety properties, even of nonterminating programs,
since a safety property is, by definition, one that is satisfied by an infinite execution
iff it is satisfied by every finite prefix [1].

3.1.3 Commutativity

Recall that an action $\rho$ right commutes with an action $\lambda$ (and $\lambda$ left commutes with
$\rho$) iff $t \xrightarrow{\rho\lambda} u$ implies $t \xrightarrow{\lambda\rho} u$ for all states $t$ and $u$. It follows from this definition
that, if $\rho$ equals the union of actions $\rho_i$ and $\lambda$ equals the union of actions $\lambda_j$, then
$\rho$ right commutes with $\lambda$ if every $\rho_i$ right commutes with every $\lambda_j$.

If there are no states $s$, $t$, and $u$ such that $s \xrightarrow{\rho} t \xrightarrow{\alpha} u$, so $\alpha$ cannot be executed
immediately after $\rho$, then $\rho$ right commutes with $\alpha$. Hence, if $\rho$ is an action in
a process of a concurrent program, then $\rho$ right commutes with every action in
that process, except the action immediately following it. Hypothesis 1 of Lipton's
theorem is therefore equivalent to the hypothesis that $S_1, \ldots, S_{i-1}$ right commute
with every program action not in $S$. Similarly, an action left commutes with every
action in the same process except the action immediately preceding it.

For any action $\alpha$, we define $\xRightarrow{\alpha}$ to be the reflexive, transitive closure of $\xrightarrow{\alpha}$. Thus,
$t \xRightarrow{\alpha} u$ iff $t = u$ or there exists a state $v$ such that $t \xrightarrow{\alpha} v \xRightarrow{\alpha} u$. In other words,
$t \xRightarrow{\alpha} u$ iff it is possible to go from state $t$ to state $u$ by "executing" action $\alpha$ zero
or more times. We adopt the usual convention of writing $t \xrightarrow{\alpha} v \xrightarrow{\beta} u$ to denote



3.1.4 Predicates and Safety Properties

A predicate is a Boolean-valued function on the set of states. The value $Q(t)$ of
predicate $Q$ on state $t$ is written $t \models Q$. An action $\alpha$ is defined to leave predicate
$Q$ invariant iff $t \models Q$ implies $u \models Q$ whenever $t \xrightarrow{\alpha} u$. It follows from this
definition that, if $\alpha$ equals the union of actions $\alpha_i$, then $\alpha$ leaves $Q$ invariant iff
every $\alpha_i$ does. Note that if $t \models Q$ implies that $\alpha$ cannot be executed in state $t$, so
there is no state $u$ such that $t \xrightarrow{\alpha} u$, then $\alpha$ trivially leaves $Q$ invariant. Thus, if
$U$ is the predicate asserting that $\alpha$ is enabled, then $\alpha$ leaves $\neg U$ invariant.

If $\mathit{Init}$ and $Q$ are predicates, then a program $\Pi$ satisfies the temporal logic formula
$\mathit{Init} \Rightarrow \Box Q$ iff the following holds: for any history $t_0, \ldots, t_n$ of $\Pi$, if $t_0 \models \mathit{Init}$
then $t_i \models Q$, for $0 \le i \le n$. This property is equivalent to

    For all states $t$ and $u$: if $t \xRightarrow{\Pi} u$ and $t \models \mathit{Init}$, then $u \models Q$.

Properties of the form $\mathit{Init} \Rightarrow \Box Q$ are proved with the Owicki-Gries method [10]
and similar assertional methods [2, 6]. Moreover, by adding auxiliary variables to
the program, any safety property can be expressed in this form.

3.1.5 Operations

The notion of a statement is meaningful only in the context of a programming
language. To make our results independent of any language, we will define reduction
with respect to operations rather than statements. The intuitive view is
that an operation $S$ consists of a collection of related actions from a single process.
Actions are "related" iff, from the time the first action of $S$ is executed until the
entire operation completes, the process can execute actions only from $S$. Executing
the first action of $S$ moves control inside $S$, and executing the last action moves
control outside $S$. Only actions of $S$ can move control inside or outside of $S$.

Formally, an operation $S$ of program $\Pi$ consists of a subset $S$ of the next-state
relation $\Pi$ together with a predicate $\mathcal{E}(S)$ (where $\mathcal{E}$ stands for external), such that
$\Pi - S$ leaves both $\mathcal{E}(S)$ and $\neg\mathcal{E}(S)$ invariant. Being subsets of $\Pi$, an action, $S$ and
$\Pi - S$ are themselves actions. This formal definition corresponds to the intuitive
view above, where $S$ is the union of the actions constituting $S$, and $\mathcal{E}(S)$ is the
predicate asserting that control is outside $S$.¹

We now define what it means for an operation to be atomic. We could define $A$
to be atomic iff $\mathcal{E}(A)$ holds in all states. However, we want $\Pi$ and $\Pi/S$ to satisfy
the same properties, so we want them to have the same set of states; this means
that $\Pi/S$ may contain states in which $\mathcal{E}(\langle S\rangle)$ is false even though it has $\langle S\rangle$ as an
atomic action. Therefore, we adopt the more general definition that an operation
$A$ of program $\Pi$ is atomic iff $\mathcal{E}(A)$ is left invariant by $\Pi$. Consequently, if $A$ is
atomic, then control will remain outside $A$ throughout any history that starts in a
state with control outside $A$.

Observe that the concept of a process is not used in our formal definition of an
operation, and nothing prevents actions of different processes from being part of a
single operation. For example, a matching pair of communication statements in a
CSP program can be represented by a single atomic operation [8].

¹ In the notation of [5], $\mathcal{E}(S) = \mathit{at}(S) \vee \neg\mathit{in}(S)$.
3.1.6 Sequential Composition

Our reduction theorem involves the sequential composition $T; U$ of operations $T$
and $U$. Composition is usually defined for statements in a programming language.
A precise definition for sequential composition of operations is complicated. However,
the composition $T; U$ has the expected meaning if (i) control cannot be inside
both $T$ and $U$, and (ii) any execution of $T; U$ consists of a (possibly null) sequence
of executions of $T$ followed by a (possibly null) sequence of executions of $U$. For
example, in the statement

    if b then T; U_1
         else U_2
    fi

the then and else clauses together define a single operation $T; U$, where the operation
$U$ is defined by $U = U_1 \cup U_2$ and $\mathcal{E}(U) = \mathcal{E}(U_1) \wedge \mathcal{E}(U_2)$. By our definition
of atomicity, if each $U_i$ is atomic, then $U$ is atomic.

For a general definition of the sequential composition of operations, we must use
$\mathcal{E}(T)$, $\mathcal{E}(U)$, $T$, and $U$ to characterize when operation $T; U$ is defined and, when it
is defined, what $T; U$ and $\mathcal{E}(T; U)$ are. Such a definition is complicated; the only
simple part is that when $T; U$ is defined, $T; U$ equals $T \cup U$. Therefore, instead
of giving a formal definition, we just list in the appendix properties of sequential
composition that we require.

If $T$ is null, meaning that $T$ is the empty set and $\mathcal{E}(T)$ is identically true, then $T; U$
equals $U$. Similarly, if $U$ is null, then $T; U$ equals $T$.

3.1.7 Possible Termination

Hypothesis 3 of Lipton's Theorem asserts that it is possible for $S$ to terminate from
any state in which control is inside $S$. Control being inside $S$ means that $\neg\mathcal{E}(S)$
holds. Termination of $S$ means reaching a state in which $\mathcal{E}(S)$ holds. Thus, Lipton's
hypothesis 3 asserts that, for every state $t$, if $t \models \neg\mathcal{E}(S)$ then there exists a state $u$
such that $t \xRightarrow{S} u$ and $u \models \mathcal{E}(S)$.
3.2 The Reduction Theorem and Corollaries

3.2.1 Reduction

The purpose of our reduction theorem is to justify pretending that an operation is
atomic. To define what this pretense means, we first define the operation $\langle S\rangle$ for
an arbitrary operation $S$ in a program $\Pi$. This requires defining action $\langle S\rangle$ and
predicate $\mathcal{E}(\langle S\rangle)$. We define $\mathcal{E}(\langle S\rangle)$ to equal $\mathcal{E}(S)$. Our definition of $\langle S\rangle$ should
assert that $t \xrightarrow{\langle S\rangle} u$ iff a complete execution of $S$ can take state $t$ to state $u$. A
"complete execution" is one that starts with control outside $S$ and ends as soon as
control leaves $S$. We define $\langle S\rangle$ to consist of all pairs $(t, u)$ such that $t \models \mathcal{E}(S)$,
$u \models \mathcal{E}(S)$, and there exist states $t_0, \ldots, t_n$, with $0 < n$, such that

    $t = t_0 \xrightarrow{S} t_1 \xrightarrow{S} \cdots \xrightarrow{S} t_{n-1} \xrightarrow{S} t_n = u$

and $t_i \models \neg\mathcal{E}(S)$ for $0 < i < n$.

For any action $\alpha$, define $t \xrightarrow{\alpha}_S u$ to mean that there exist states $t_0, \ldots, t_n$, with
$0 \le n$, such that

    $t = t_0 \xrightarrow{\alpha} t_1 \xrightarrow{\alpha} \cdots \xrightarrow{\alpha} t_{n-1} \xrightarrow{\alpha} t_n = u$

and $t_i \models \neg\mathcal{E}(S)$ for $0 < i < n$. Then, $t \xrightarrow{\alpha}_S u$ implies $t \xRightarrow{\alpha} u$. If $u \models \neg\mathcal{E}(S)$,
then $t \xrightarrow{\alpha}_S u$ and $u \xrightarrow{\alpha}_S v$ imply $t \xrightarrow{\alpha}_S v$.

To see the relation between the two actions $S$ and $\langle S\rangle$, suppose $t \models \mathcal{E}(S)$ and
$u \models \mathcal{E}(S)$. The definition of $\langle S\rangle$ implies that $t \xrightarrow{S}_S u$ iff $t \xrightarrow{\langle S\rangle} u$ or $t = u$. This in
turn implies that $t \xRightarrow{\langle S\rangle} u$ iff $t \xRightarrow{S} u$.

We can now formally define program $\Pi/S$. We want $\Pi/S$ to be the program
obtained by replacing $S$ by an atomic action, so $\Pi/S$ is defined to have the same
set of states as $\Pi$ and to have its next-state relation $\Pi/S$ equal to $(\Pi - S) \cup \langle S\rangle$.
To show that $\langle S\rangle$ is an atomic operation of $\Pi/S$, we must show that $\Pi/S$ leaves
$\mathcal{E}(\langle S\rangle)$ invariant. By definition of what it means for $S$ to be an operation of $\Pi$,
action $\Pi - S$ leaves $\mathcal{E}(S)$ invariant. By definition of $\langle S\rangle$, action $\langle S\rangle$ leaves $\mathcal{E}(S)$
invariant. Therefore, $(\Pi - S) \cup \langle S\rangle$, which equals $\Pi/S$, leaves invariant $\mathcal{E}(S)$,
which equals $\mathcal{E}(\langle S\rangle)$.

The useful part of the reduction theorem states that, for certain operations $S$, if a
safety property is satisfied by $\Pi/S$ then it is satisfied by $\Pi$. The converse, that a
safety property is satisfied by $\Pi/S$ if it is satisfied by $\Pi$, is true for any $S$.
Lemma 1  If $\mathit{Init} \Rightarrow \Box Q$ is satisfied by program $\Pi$ then it is satisfied by program
$\Pi/S$.

Proof of Lemma

1. For any states $t$ and $u$, if $t \xRightarrow{\Pi} u$ and $t \models \mathit{Init}$, then $u \models Q$.
   Proof: By the hypothesis that $\Pi$ satisfies $\mathit{Init} \Rightarrow \Box Q$.

2. For any states $v$ and $w$, if $v \xrightarrow{\Pi/S} w$ then $v \xRightarrow{\Pi} w$.
   Proof: By definition of reduction, since $\Pi/S - \langle S\rangle \subseteq \Pi$ and $v \xrightarrow{\langle S\rangle} w$ implies
   $v \xRightarrow{S} w$.

3. For any states $t$ and $u$, if $t \xRightarrow{\Pi/S} u$ and $t \models \mathit{Init}$ then $u \models Q$.
   Proof: By 1 and 2.

4. Program $\Pi/S$ satisfies $\mathit{Init} \Rightarrow \Box Q$.
   Proof: By 3 and the definition of what it means for $\Pi/S$ to satisfy $\mathit{Init} \Rightarrow \Box Q$.

End Proof of Lemma

3.2.2 The Reduction Theorem and a Corollary

We now state our reduction theorem, which is proved in the appendix, and derive
a corollary.

Reduction Theorem  Let $\Pi$ be a program, $\mathit{Init}$ and $Q$ be predicates, and $S$ be an
operation of $\Pi$ having the form $R; \langle A\rangle; L$, where

0. $\mathit{Init}$ implies $\mathcal{E}(S)$.

1. (a) Action $R$ right commutes with action $\Pi - S$.

   (b) For all states $t$ and $u$: if $t \xrightarrow{R} u$ and $t \models (Q \wedge \mathcal{E}(S))$ then $u \models (Q \vee \mathcal{E}(S))$.

2. (a) Action $L$ left commutes with action $\Pi - S$.

   (b) For all states $t$ and $u$: if $t \xrightarrow{L} u$ and $t \models (\neg Q \wedge \neg\mathcal{E}(S))$ then
       $u \models (\neg Q \vee \mathcal{E}(S))$.

3. For all states $t$: if $t \models (\neg Q \wedge \mathcal{E}(R; \langle A\rangle) \wedge \neg\mathcal{E}(S))$ then there exists a state
   $u$ such that $t \xRightarrow{S} u$ and $u \models \mathcal{E}(S)$.²

Then, $\mathit{Init} \Rightarrow \Box Q$ is satisfied by $\Pi$ iff it is satisfied by $\Pi/S$.

² $\mathcal{E}(R; \langle A\rangle) \wedge \neg\mathcal{E}(S)$ asserts that control is either inside $L$ or at its entry point.

Observe that hypothesis 1(b) holds if $R$ leaves $Q$ invariant, and hypothesis 2(b)
holds if $L$ leaves $\neg Q$ invariant. Thus, both of these hypotheses hold if $R$ and $L$ do
not change any part of the state on which $Q$ depends.

The conclusion of our reduction theorem asserts that if $Q$ holds throughout the
execution of $\Pi/S$ then it holds throughout the execution of $\Pi$. Weaker hypotheses
lead to the weaker conclusion that, in the execution of $\Pi$, predicate $Q$ holds only
when control is external to $S$, giving a result obtained by Doeppner [4].

Corollary (Doeppner)  Let $\Pi$ be a program and $S$ have the form $R; \langle A\rangle; L$, where

0. $\mathit{Init}$ implies $\mathcal{E}(S)$.

1. Action $R$ right commutes with action $\Pi - S$.

2. Action $L$ left commutes with action $\Pi - S$.

Then, $\mathit{Init} \Rightarrow \Box(Q \vee \neg\mathcal{E}(S))$ is satisfied by $\Pi$ iff $\mathit{Init} \Rightarrow \Box Q$ is satisfied by $\Pi/S$.

Proof of Corollary

1. $\mathit{Init} \Rightarrow \Box(Q \vee \neg\mathcal{E}(S))$ is satisfied by $\Pi$ iff it is satisfied by $\Pi/S$.

   Proof: Apply the Reduction Theorem with $Q \vee \neg\mathcal{E}(S)$ substituted for $Q$.
   Hypotheses 0, 1(a), and 2(a) of the theorem follow from hypotheses 0-2 of the
   corollary. Hypothesis 1(b) of the theorem holds trivially because $(Q \vee \neg\mathcal{E}(S)) \vee \mathcal{E}(S)$
   is identically true. Hypothesis 2(b) of the theorem holds vacuously because
   $\neg(Q \vee \neg\mathcal{E}(S)) \wedge \neg\mathcal{E}(S)$ is identically false. Hypothesis 3 also holds vacuously
   because $\neg(Q \vee \neg\mathcal{E}(S)) \wedge \mathcal{E}(R; \langle A\rangle) \wedge \neg\mathcal{E}(S)$ is identically false.

2. $\Pi/S$ satisfies $\mathit{Init} \Rightarrow \Box\mathcal{E}(S)$.

   Proof: By hypothesis 0, since $\Pi/S$ leaves $\mathcal{E}(S)$, which equals $\mathcal{E}(\langle S\rangle)$, invariant.

3. $\Pi/S$ satisfies $\mathit{Init} \Rightarrow \Box(Q \vee \neg\mathcal{E}(S))$ iff it satisfies $\mathit{Init} \Rightarrow \Box Q$.

   Proof: Follows from 2 and the definition of what it means for $\Pi/S$ to satisfy a
   formula of the form $\mathit{Init} \Rightarrow \Box P$.

End Proof of Corollary

The corollary provides a correct statement of the single-action rule. The incorrect
version of the rule asserts that if the reduced program satisfies a property then the
original program does. The correct version asserts that if the reduced program
satisfies a property $\mathit{Init} \Rightarrow \Box Q$, then the original program satisfies the related
property $\mathit{Init} \Rightarrow \Box(Q \vee \neg\mathcal{E}(S))$. Only if $\neg\mathcal{E}(S)$ implies $Q$ does the original
program satisfy the same property as the reduced program.

3.2.3 Deriving Lipton's Theorem

We now derive Lipton's Theorem from the corollary. Lipton's Theorem concerns
partial correctness and deadlock freedom properties. We consider each of them
separately.

The partial correctness property $\{\mathit{Pre}\}\,\Pi\,\{\mathit{Post}\}$ can be expressed in the form
$\mathit{Init} \Rightarrow \Box Q$ by letting $\mathit{Init}$ be the predicate asserting that control is at the beginning
of $\Pi$ and $\mathit{Pre}$ holds, and letting $Q$ be $\mathit{Term} \Rightarrow \mathit{Post}$, where $\mathit{Term}$ is the predicate
asserting that $\Pi$ has terminated; that is, $\mathit{Term}$ asserts that control is at the end of
the program. Since control at the end of $\Pi$ implies that $\mathcal{E}(S)$ holds, $\neg\mathcal{E}(S)$ implies
$Q$, so $Q \vee \neg\mathcal{E}(S)$ is equivalent to $Q$. Hence, the corollary implies that, under the
hypotheses of Lipton's Theorem, $\Pi$ satisfies $\{\mathit{Pre}\}\,\Pi\,\{\mathit{Post}\}$ iff $\Pi/S$ does. This
proves Lipton's Theorem for partial correctness. Moreover, we have strengthened
this part of Lipton's Theorem by eliminating hypothesis 3. In so doing, we have
shown that the single-action rule is valid for partial correctness properties.

We next show that the deadlock-freedom part of Lipton's Theorem follows from
the corollary. A program is deadlocked iff it has not terminated and no program
action is enabled. Program $\Pi$ has terminated iff program $\Pi/S$ has. Thus, we need
show only that an action of $\Pi$ is always enabled iff an action of $\Pi/S$ is always
enabled. Let $\mathit{Init}$ be the predicate asserting that control is at the beginning of $\Pi$
and let $\mathit{DF}_\Pi$ be the predicate asserting that some action of $\Pi$ is enabled. Similarly,
define $\mathit{DF}_{\Pi/S}$ to assert that some action of $\Pi/S$ is enabled. The conclusion of
Lipton's Theorem states, in our notation, that $\Pi$ satisfies $\mathit{Init} \Rightarrow \Box\mathit{DF}_\Pi$ iff $\Pi/S$
satisfies $\mathit{Init} \Rightarrow \Box\mathit{DF}_{\Pi/S}$. We use the corollary to show that this conclusion is
implied by the hypotheses of Lipton's Theorem.

1. $\Pi$ satisfies $\mathit{Init} \Rightarrow \Box(\mathit{DF}_{\Pi/S} \vee \neg\mathcal{E}(S))$ iff $\Pi/S$ satisfies $\mathit{Init} \Rightarrow \Box\mathit{DF}_{\Pi/S}$.
   Proof: Apply the Corollary with $\mathit{DF}_{\Pi/S}$ substituted for $Q$.

2. $\mathit{DF}_{\Pi/S} \vee \neg\mathcal{E}(S)$ implies $\mathit{DF}_\Pi$.

   2.1. $\mathit{DF}_{\Pi/S}$ implies $\mathit{DF}_\Pi$.
        Proof: By definition of $\Pi/S$, if an action of $\Pi/S$ is enabled then an action
        of $\Pi$ must be enabled.

   2.2. $\neg\mathcal{E}(S)$ implies $\mathit{DF}_\Pi$.
        Proof: By hypothesis 3 of Lipton's Theorem.

3. $\mathit{DF}_\Pi$ implies $\mathit{DF}_{\Pi/S} \vee \neg\mathcal{E}(S)$.

   Proof: It suffices to prove that $\mathit{DF}_\Pi$ and $\mathcal{E}(S)$ imply $\mathit{DF}_{\Pi/S}$. For this, it suffices
   to prove that for any state $t$, if there exists a state $u$ such that $t \models \mathcal{E}(S)$ and
   $t \xrightarrow{\Pi} u$, then there exists a state $v$ such that $t \xrightarrow{\Pi/S} v$.

   Since $t \xrightarrow{\Pi} u$, either $t \xrightarrow{\Pi - S} u$ or else $t \xrightarrow{S} u$. If $t \xrightarrow{\Pi - S} u$, then we can let $v$
   equal $u$. Assume that $t \xrightarrow{S} u$. If $u \models \neg\mathcal{E}(S)$, then hypothesis 3 of Lipton's
   Theorem implies that there exists a state $v$ such that $v \models \mathcal{E}(S)$ and $u \xRightarrow{S} v$. If
   $u \models \mathcal{E}(S)$, then let $v$ equal $u$. In either case, $t \xRightarrow{S} v$, $t \models \mathcal{E}(S)$, and $v \models \mathcal{E}(S)$,
   so $t \xrightarrow{\langle S\rangle} v$.

4. $\Pi$ satisfies $\mathit{Init} \Rightarrow \Box\mathit{DF}_\Pi$ iff $\Pi/S$ satisfies $\mathit{Init} \Rightarrow \Box\mathit{DF}_{\Pi/S}$.
   Proof: By 1, since 2 and 3 imply $\mathit{DF}_\Pi \equiv \mathit{DF}_{\Pi/S} \vee \neg\mathcal{E}(S)$.

The single-action rule is not valid for deadlock freedom. For example, let $\Pi$ be the
single-process program

    ⟨x := 0 or 1⟩; ⟨await x = 0⟩

where the assignment nondeterministically sets $x$ to 0 or 1, and the await delays
forever if $x = 1$. Since every variable is local, a naive single-action rule would
assert that this program is equivalent to

    ⟨x := 0 or 1; await x = 0⟩

which, by our definition of $\langle S\rangle$, is equivalent to

    ⟨x := 0⟩

The reduced program is deadlock free, but the original program is not: it deadlocks
if the assignment statement sets $x$ to 1.

One might be able to find an alternate definition of $\langle S\rangle$ that makes the single-action
rule valid for deadlock freedom. However, we believe that such a definition would
be unnatural, and unlikely to be of any practical use.
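The following added Python (not code from the paper) builds ⟨S⟩ and Π/S as defined in Section 3.2.1, with ⟨S⟩ collecting the complete executions of S from an external state through internal states only, and applies the construction to the two-statement program above. It then searches the reachable states of Π and of Π/S for deadlocked states, i.e. non-terminated states with no enabled action. Encoding control as pc, the initial states, the `terminated` predicate and the function names are assumptions of the example; the construction itself is general and `reduce_program` works for any Π, S and E(S) given in the same representation.

```python
"""Constructing <S> and Pi/S for the single-process program
   <x := 0 or 1>; <await x = 0>
and checking both programs for deadlock.

State = (pc, x): pc 0 = control at the assignment, 1 = at the await,
2 = terminated. An action is a function from a state to the set of states
it can produce (empty set = not enabled). Constructed example model.
"""

def assign(s):                     # <x := 0 or 1>, nondeterministic choice
    pc, x = s
    return {(1, 0), (1, 1)} if pc == 0 else set()

def await_zero(s):                 # <await x = 0>: enabled only when x = 0
    pc, x = s
    return {(2, x)} if pc == 1 and x == 0 else set()

def union(*actions):
    return lambda s: set().union(*(a(s) for a in actions))

S = union(assign, await_zero)      # the operation S is the whole program
PI = S                             # next-state relation of Pi (Pi - S is empty)

def external(s):                   # E(S): control is not inside S
    return s[0] != 1

def angle(S, external):
    """<S>: t -> u with t, u external and an S-path from t to u of at least
    one step whose intermediate states are all internal."""
    def angle_S(t):
        if not external(t):
            return set()
        result, pending, seen = set(), list(S(t)), set()
        while pending:
            v = pending.pop()
            if v in seen:
                continue
            seen.add(v)
            if external(v):
                result.add(v)      # control has left S: a complete execution
            else:
                pending.extend(S(v))
        return result
    return angle_S

def reduce_program(pi, S, external):
    """Pi/S: same states, next-state relation (Pi - S) U <S>."""
    angle_S = angle(S, external)
    return lambda s: (pi(s) - S(s)) | angle_S(s)

def reachable(step, init):
    seen, pending = set(), list(init)
    while pending:
        s = pending.pop()
        if s not in seen:
            seen.add(s)
            pending.extend(step(s))
    return seen

def deadlocks(step, init, terminated):
    """Reachable states that are not terminated and enable no action."""
    return {s for s in reachable(step, init) if not terminated(s) and not step(s)}

INIT = {(0, 0), (0, 1)}            # control at the assignment, x arbitrary

def terminated(s):
    return s[0] == 2

PI_OVER_S = reduce_program(PI, S, external)

if __name__ == "__main__":
    print("<S> from (0, 1):", PI_OVER_S((0, 1)))          # behaves as <x := 0>
    print("deadlocks in Pi:  ", deadlocks(PI, INIT, terminated))
    print("deadlocks in Pi/S:", deadlocks(PI_OVER_S, INIT, terminated))
```

The execution that sets x to 1 never reaches an external state, so it contributes no pair to ⟨S⟩; that is exactly why Π/S behaves as ⟨x := 0⟩ and why the deadlocked state (1, 1) of Π has no counterpart in Π/S.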
Program Π_1

  variables
    inp : infinite sequence of value;
    out : sequence of value;
    buf : array [0 .. N − 1] of value;
    x, y : value;
    fp, fc : Natural;

  cobegin
    Producer: loop
      D_p : ⟨ x, inp := head(inp), tail(inp) ⟩;
      A_p : ⟨ await (fp − fc) < N ⟩;
      B_p : ⟨ buf[fp mod N] := x ⟩;
      C_p : ⟨ fp := fp + 1 ⟩
    end loop
  ||
    Consumer: loop
      A_c : ⟨ await (fp − fc) > 0 ⟩;
      B_c : ⟨ y := buf[fc mod N] ⟩;
      C_c : ⟨ fc := fc + 1 ⟩;
      D_c : ⟨ out := out ∘ y ⟩
    end loop
  coend

Figure 1: A simple producer/consumer program.
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3.3 An Example 

Program O x of Figure 1 is a two-process concurrent program, where head and 
tail are the usual operators on sequences, and o denotes concatenation. Using a 
bounded buffer, a producer process communicates an infinite sequence of values to 
a consumer process. The safety property of interest is that the sequence of values 
out received by the consumer is a prefix of the initial value of the sequence inp. 
This property is formulated as Init =>• □ Q, where 

• Init asserts that buf is empty, inp has some initial value inp init , fp — f c — 

0. and at (D p ) and at(A c ) hold, where at(%) is a predicate that is true iff 
control is at action £. 

• Q asserts that out is an initial prefix of inp init . 

To prove that n l satisfies this property, the Reduction Theorem is applied twice. 
First, Program IT is reduced by A p ; B p ; C p , resulting in a program where the 
producer has only two actions, $D_p$ and $\langle A_p; B_p; C_p\rangle$. Then, that program is
reduced by $A_c; B_c; C_c$, resulting in a final program having just four atomic actions.
As we observed at the end of Section 2, these two reductions can be done at once.
This is because a consumer action left (right) commutes with each of the actions
$A_p$, $B_p$, and $C_p$ iff it left (right) commutes with the single action $\langle A_p; B_p; C_p\rangle$.

For the first reduction, the theorem is applied with $A_p$ for $R$, $B_p$ for $\langle A\rangle$, and $C_p$
for $L$. We now show that the four hypotheses of the theorem are satisfied.

Hypothesis 0. $\mathit{Init}$ implies $\mathcal{E}(A_p; B_p; C_p)$.

Proof: This follows from the definitions of $\mathit{Init}$ and $\mathcal{E}$, because $\mathit{Init}$ implies
$\mathit{at}(D_p)$, and $\mathit{at}(D_p)$ implies that control is external to $A_p; B_p; C_p$.

Hypothesis 1. (a) Action $R$ right commutes with action $\Pi - S$, where $S$ is
$A_p; B_p; C_p$.

(b) For all states $t$ and $u$, if $t \xrightarrow{R} u$ and $t \models (Q \wedge \mathcal{E}(S))$ then $u \models (Q \vee \mathcal{E}(S))$.

1. $A_p$ right commutes with $D_p$.

Proof: $D_p$ cannot be executed immediately after $A_p$.

2. $A_p$ right commutes with $A_c$, $B_c$, and $D_c$.

Proof: Actions $A_p$ and $A_c$ commute because neither modifies any variable
accessed by the other, and $A_p$ commutes with $B_c$ and with $D_c$ for the same
reason.

3. $A_p$ right commutes with $C_c$.

3.1. If executing $A_p$ then $C_c$ from a state $s$ yields $t$, and executing $C_c$ then $A_p$ from $s$ yields $t'$, then $t = t'$.

Proof: From the definitions of $A_p$ and $C_c$: $A_p$ changes only the producer's control
state and $C_c$ changes only $fc$ and the consumer's control state, so both orders
yield the same state.

3.2. If it is possible to execute first $A_p$ then $C_c$ on a state $s$, then it is also
possible to execute first $C_c$ then $A_p$ on $s$.

Proof: It is possible to execute $A_p$ then $C_c$ on $s$ iff

$$s \models \mathit{at}(A_p) \wedge \mathit{at}(C_c) \wedge (fp - fc < N) \tag{3}$$

It is possible to execute $C_c$ then $A_p$ on $s$ iff

$$s \models \mathit{at}(A_p) \wedge \mathit{at}(C_c) \wedge (fp - (fc + 1) < N) \tag{4}$$

Obviously, (3) implies (4).

3.3. If executing $A_p$ then $C_c$ from $s$ yields $t$, then executing $C_c$ then $A_p$ from $s$ also yields $t$.

Proof: By 3.1 and 3.2.

4. Hypothesis 1(a) holds.

Proof: By 1, 2, and 3, since $\Pi - S$ equals the union of $D_p$, $A_c$, $B_c$, $C_c$,
and $D_c$.

5. Hypothesis 1(b) holds.

Proof: Action $A_p$ does not modify any part of the state on which $Q$
depends, so it leaves $Q$ invariant.

Hypothesis 2. (a) Action $C_p$ left commutes with action $\Pi - S$.

(b) For all states $t$ and $u$, if $t \xrightarrow{L} u$ and $t \models (\neg Q \wedge \neg\mathcal{E}(S))$ then $u \models
(\neg Q \vee \neg\mathcal{E}(S))$.

Proof: The proof of this is similar to the proof of Hypothesis 1. The key
step in the proof that $C_p$ left commutes with $A_c$ is the observation that (i) it
is possible to execute $A_c$ then $C_p$ on a state $s$ iff $s \models (\mathit{at}(A_c) \wedge \mathit{at}(C_p) \wedge
(fp - fc > 0))$, and (ii) it is possible to execute $C_p$ then $A_c$ on $s$ iff
$s \models (\mathit{at}(A_c) \wedge \mathit{at}(C_p) \wedge ((fp + 1) - fc > 0))$; the first condition implies the
second. Hypothesis 2(b) holds because action $C_p$ does not change any part of
the state on which $Q$ depends, so it leaves $\neg Q$ invariant.

Hypothesis 3. For all states $t$: if $t \models (\neg Q \wedge \mathit{at}(C_p))$ then $C_p$ can terminate from
$t$.

Proof: $C_p$ can terminate from any state $t$ for which $t \models \mathit{at}(C_p)$.
The justification of the second reduction is similar to that of the first with $p$ and
$c$ subscripts interchanged. Here $A_c$ plays the role of $R$ and $C_c$ the role of $L$, so we
must prove that $A_c$ right commutes and $C_c$ left commutes with the four actions
$A_p$, $B_p$, $C_p$, and $D_p$. (Recall that this implies that they right and left commute
with $\langle A_p; B_p; C_p\rangle$.) Proving the symmetric versions of the proofs of Hypotheses 0-3
given for the first reduction allows our theorem to be applied to the second
reduction. We omit the proofs. (Note that the commutativity relations between $A_c$
and $C_p$, and between $C_c$ and $A_p$, were already established in the proof of the first
reduction: $C_p$ left commutes with $A_c$ iff $A_c$ right commutes with $C_p$, and $A_p$ right
commutes with $C_c$ iff $C_c$ left commutes with $A_p$.)



4 Constraints 

We can replace the unbounded integer variables $fp$ and $fc$ of Program $\Pi_1$ by
integers modulo $2N$, to obtain producer/consumer program $\Pi_2$ of Figure 2. Program
$\Pi_2$ can be viewed as an implementation of $\Pi_1$ in which the "left-most bits" of $fp$
and $fc$ have been eliminated. We would, therefore, expect to be able to reduce $\Pi_2$
to a program with only four atomic actions, just as we reduced $\Pi_1$. Unfortunately,
we cannot. The action pairs $A_p, C_c$ and $A_c, C_p$ of $\Pi_2$ do not satisfy the required
commutativity relations. For example, if $t$ is a state in which $fp = fc$, then there
are states $u$ and $v$ such that $t \xrightarrow{A_p} u \xrightarrow{C_c} v$, but no state $u'$ such that
$t \xrightarrow{C_c} u' \xrightarrow{A_p} v$, because $-1 \bmod 2N$ equals $2N - 1$, which is greater than or
equal to $N$. (Executing $C_c$ when $fp = fc$ disables $A_p$.) Thus, $A_p$ does not right
commute with $C_c$.

Program $\Pi_2$ admits "irreducible" histories, ones that are not equivalent to any of
the reduced program's histories. However, these irreducible histories are irrelevant
because they cannot arise when $\Pi_2$ is started in a "proper" initial state. The
property we want to prove is $\mathit{Init} \Rightarrow \Box Q$, which asserts that $Q$ is always true for
any execution started in a state satisfying the predicate $\mathit{Init}$, and it turns out that
there is no irreducible history beginning with a state that satisfies $\mathit{Init}$. For example,
histories containing a state in which $fp = fc$ and both $A_p$ and $C_c$ are enabled, so
$A_p$ does not right commute with $C_c$, are irrelevant because such a state cannot be
reached when Program $\Pi_2$ is started with $\mathit{Init}$ true.

We will dispense with these irrelevant histories by modifying $\Pi_2$ to eliminate them.³
We constrain the program by a predicate $I$ to eliminate histories in which $I$ becomes
false [7]. If the original program satisfies $\mathit{Init} \Rightarrow \Box I$, then only irrelevant histories
are eliminated.

³ We could define these histories out of existence by including the initial state in the formal
definition of a program, but this would complicate our definitions without making it any easier to
actually prove properties of programs.

Program Π₂

variables
    inp : infinite sequence of value;
    out : sequence of value;
    buf : array [0 ... N − 1] of value;
    x, y : value;
    fp, fc : {0 ... 2N − 1};

cobegin
    Producer: loop
        D_p: ⟨x, inp := head(inp), tail(inp)⟩;
        A_p: ⟨await (fp − fc) mod 2N < N⟩;
        B_p: ⟨buf[fp mod N] := x⟩;
        C_p: ⟨fp := (fp + 1) mod 2N⟩
    end loop
□
    Consumer: loop
        A_c: ⟨await (fp − fc) mod 2N > 0⟩;
        B_c: ⟨y := buf[fc mod N]⟩;
        C_c: ⟨fc := (fc + 1) mod 2N⟩;
        D_c: ⟨out := out ∘ y⟩
    end loop
coend

Figure 2: Another simple producer/consumer program.



For an action $\alpha$ and a predicate $I$, define $\alpha|_I$ (read $\alpha$ constrained by $I$) to be the
action $\{(s, t) \in \alpha : (s \models I) \wedge (t \models I)\}$. Thus, $s \xrightarrow{\alpha|_I} t$ iff $s \xrightarrow{\alpha} t$ and $I$ holds
in states $s$ and $t$. For a program $\Pi$ we define $\Pi|_I$ to be the program whose states
are the states of $\Pi$ that satisfy $I$, and whose next-state relation is $\Pi|_I$. If $S$ is an
operation of $\Pi$, then $S|_I$ is the operation of $\Pi|_I$ whose action is the constrained
action $S|_I$ and whose predicate $\mathcal{E}(S|_I)$ equals $\mathcal{E}(S)$ with its domain restricted to the
states of $\Pi|_I$.

The next-state relation $\Pi|_I$ is enabled only in states satisfying $I$, and $\Pi|_I$ can
produce only states satisfying $I$. The histories of $\Pi|_I$ consist of the histories of $\Pi$
in which all states satisfy $I$. This implies that every history of $\Pi|_I$ is a history of
$\Pi$.

Suppose that $\mathit{Init} \Rightarrow \Box I$ holds for a program $\Pi$. Then, $I$ is true for all states in
any history of $\Pi$ beginning in a state with $\mathit{Init}$ true. Therefore, any history of $\Pi$
beginning with $\mathit{Init}$ true is also a history of $\Pi|_I$. If $\Pi$ satisfies $\mathit{Init} \Rightarrow \Box I$, then
$\Pi$ satisfies $\mathit{Init} \Rightarrow \Box Q$ iff $\Pi|_I$ does. The property $\mathit{Init} \Rightarrow \Box I$ can be proved by
ordinary assertional methods. Usually, $I$ is an invariant of $\Pi$.

To define the predicate $I$ for $\Pi_2$, we first define a function $\psi_p$ on the set of program
states:

$$\psi_p = \begin{cases} 1 & \text{if } \mathit{at}(B_p) \vee \mathit{at}(C_p) \\ 0 & \text{otherwise} \end{cases}$$

We define $\psi_c$ similarly, replacing $p$ by $c$. The predicate $I$ is defined to equal

$$\psi_c \le (fp - fc) \bmod 2N \le N - \psi_p$$

That $I$ is an invariant of $\Pi_2$ can be established in the usual way. It is also easy to
check that $\mathit{Init}$ implies $I$. Therefore, to prove that $\mathit{Init} \Rightarrow \Box Q$ is satisfied by $\Pi_2$,
we need to show only that it is satisfied by $\Pi_2|_I$.

We can now apply our Reduction Theorem to $\Pi_2|_I$, reducing it first by $A_p|_I; B_p|_I; C_p|_I$
and then by $A_c|_I; B_c|_I; C_c|_I$. The proof is almost identical to that for $\Pi_1$ given
above. The major difference is in the proof that $A_p|_I$ right commutes with $C_c|_I$. As
in step 3.2 above, we must show that if it is possible to execute $A_p|_I$ followed by
$C_c|_I$ from a state $t$, then it is also possible to execute $C_c|_I$ followed by $A_p|_I$ from $t$.
It is possible to execute $A_p|_I$ followed by $C_c|_I$ from $t$ iff

$$t \models I \wedge \mathit{at}(A_p) \wedge \mathit{at}(C_c) \wedge ((fp - fc) \bmod 2N < N) \tag{5}$$

and it is possible to execute $C_c|_I$ followed by $A_p|_I$ from $t$ iff

$$t \models I \wedge \mathit{at}(A_p) \wedge \mathit{at}(C_c) \wedge ((fp - (fc + 1)) \bmod 2N < N) \tag{6}$$

Since $I \wedge \mathit{at}(A_p) \wedge \mathit{at}(C_c)$ implies that $1 \le (fp - fc) \bmod 2N \le N$ (because
$\mathit{at}(C_c)$ gives $\psi_c = 1$ and $\mathit{at}(A_p)$ gives $\psi_p = 0$), the subtraction in (6) cannot
wrap around, and it follows that (5) implies (6).
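The commutativity failures of $\Pi_2$, and their disappearance under the constraint $I$, can be checked mechanically on a small instance. The following Python program is an added example, not code from the paper. It enumerates the states of $\Pi_2$ for a hypothetical $N = 3$ with the data (inp, out, buf, x, y) abstracted away, a modelling assumption justified by the fact that only the control locations and the counters $fp$, $fc$ enter the await conditions, the predicate $I$ and the commutativity arguments. It reports the action pairs violating Hypotheses 1(a) and 2(a) for the reduction by $A_p; B_p; C_p$ (and, with the same routine, by $A_c; B_c; C_c$), checks that $I$ is inductive and is implied by an assumed $\mathit{Init}$ (both processes at their first statement and $fp = fc$; the paper does not spell out $\mathit{Init}$ for $\Pi_2$ here), and repeats the commutativity check for the constrained actions $\alpha|_I$. All function and variable names are the example's own.

```python
"""Exhaustive check of Program Pi_2 (Figure 2) with the data abstracted away.
Added example, not code from the paper.  A state holds only the two control
locations and the counters fp, fc (modelling assumption: nothing else enters the
await conditions, the predicate I or the commutativity arguments).  N = 3 is a
hypothetical value."""
from typing import Callable, Dict, List, Optional, Set, Tuple

N = 3
MOD = 2 * N
PROD = ("D_p", "A_p", "B_p", "C_p")  # producer loop body, in order
CONS = ("A_c", "B_c", "C_c", "D_c")  # consumer loop body, in order
State = Tuple[str, str, int, int]    # (producer pc, consumer pc, fp, fc)


def step(s: State, a: str) -> Optional[State]:
    """Successor of s under atomic action a, or None if a is not enabled in s."""
    pc_p, pc_c, fp, fc = s
    d = (fp - fc) % MOD  # occupied slots, counted modulo 2N
    if a in PROD:
        if pc_p != a or (a == "A_p" and not d < N):
            return None
        if a == "C_p":
            fp = (fp + 1) % MOD
        return (PROD[(PROD.index(a) + 1) % 4], pc_c, fp, fc)
    if pc_c != a or (a == "A_c" and not d > 0):
        return None
    if a == "C_c":
        fc = (fc + 1) % MOD
    return (pc_p, CONS[(CONS.index(a) + 1) % 4], fp, fc)


def I(s: State) -> bool:
    """The constraining predicate psi_c <= (fp - fc) mod 2N <= N - psi_p."""
    psi_p = 1 if s[0] in ("B_p", "C_p") else 0
    psi_c = 1 if s[1] in ("B_c", "C_c") else 0
    return psi_c <= (s[2] - s[3]) % MOD <= N - psi_p


def step_I(s: State, a: str) -> Optional[State]:
    """The constrained action a|_I: a step of a whose source and target satisfy I."""
    t = step(s, a) if I(s) else None
    return t if t is not None and I(t) else None


def all_states() -> Set[State]:
    return {(p, c, fp, fc) for p in PROD for c in CONS
            for fp in range(MOD) for fc in range(MOD)}


def init_states() -> Set[State]:
    """Assumed Init: both processes at their first statement and fp = fc."""
    return {("D_p", "A_c", k, k) for k in range(MOD)}


def reachable(inits: Set[State], stepf: Callable = step) -> Set[State]:
    seen, todo = set(inits), list(inits)
    while todo:
        s = todo.pop()
        for a in PROD + CONS:
            t = stepf(s, a)
            if t is not None and t not in seen:
                seen.add(t)
                todo.append(t)
    return seen


def is_inductive(inv: Callable[[State], bool], stepf: Callable = step) -> bool:
    """Every step out of a state satisfying inv ends in a state satisfying inv."""
    return all(stepf(s, a) is None or inv(stepf(s, a))
               for s in all_states() if inv(s) for a in PROD + CONS)


def swap_failures(first: str, second: str, stepf: Callable) -> List[State]:
    """States where first;second is possible but second;first is impossible or ends
    elsewhere: witnesses that first does not right commute with second (equivalently,
    that second does not left commute with first)."""
    bad = []
    for s in sorted(all_states()):
        t = stepf(s, first)
        u = stepf(t, second) if t is not None else None
        if u is None:
            continue
        t2 = stepf(s, second)
        if t2 is None or stepf(t2, first) != u:
            bad.append(s)
    return bad


def reduction_failures(x: str, stepf: Callable = step) -> Dict[Tuple[str, str], List[State]]:
    """Hypotheses 1(a) and 2(a) for the reduction by S = A_x; B_x; C_x (x = 'p' or 'c'):
    R = A_x must right commute, and L = C_x left commute, with every action of Pi - S.
    Returns each violated (R or L, other action) pair with its witness states."""
    R, L = "A_" + x, "C_" + x
    bad: Dict[Tuple[str, str], List[State]] = {}
    for a in PROD + CONS:
        if a in (R, "B_" + x, L):
            continue
        if (f := swap_failures(R, a, stepf)):
            bad[(R, a)] = f
        if (f := swap_failures(a, L, stepf)):
            bad[(L, a)] = f
    return bad


if __name__ == "__main__":
    print("Pi_2 violations  :", {k: len(v) for k, v in reduction_failures("p").items()})
    print("I inductive      :", is_inductive(I), " Init => I:", all(map(I, init_states())))
    print("Pi_2|I violations:", reduction_failures("p", step_I), reduction_failures("c", step_I))
```

For the unconstrained program the only violations reported are the pairs $A_p, C_c$ (every witness has $fp = fc$) and $C_p, A_c$ (every witness has $(fp - fc) \bmod 2N = 2N - 1$, the wrap-around in the other direction); for the constrained actions the report is empty, which is what the argument for (5) $\Rightarrow$ (6) establishes by hand. The check also confirms that $I$ holds on every state reachable from the assumed initial states, so constraining by $I$ removes no history that starts with $\mathit{Init}$ true.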

5 Discussion 

We have given a reduction theorem for proving that a safety property of the form
$\mathit{Init} \Rightarrow \Box Q$ holds for a program $\Pi$ if it holds for the coarser-grained program
$\Pi/S$. In general, a reduction theorem allows one to conclude that $\Pi$ satisfies a
property $\mathcal{P}$ if $\Pi/S$ satisfies a related property $\mathcal{P}'$. It is proved by showing that
for any history $\Sigma$ of $\Pi$, there is a corresponding history $\Sigma'$ of $\Pi/S$ such that $\Sigma$
satisfies $\mathcal{P}$ if $\Sigma'$ satisfies $\mathcal{P}'$. The history $\Sigma'$ is derived from $\Sigma$ by commuting
actions and completing or eliminating any unfinished execution of $S$. Hypotheses
about commutativity and the possible termination of $L$ make it possible to derive
$\Sigma'$ from $\Sigma$. Additional hypotheses may be needed to guarantee that if $\Sigma'$ satisfies
$\mathcal{P}'$ then $\Sigma$ satisfies $\mathcal{P}$. In our reduction theorem, these are hypotheses 1(b) and 2(b).

A reduction theorem is tailored to a particular class of properties. We chose
the hypotheses of our reduction theorem to be as weak as possible for properties
of the form $\mathit{Init} \Rightarrow \Box Q$. Lipton considered partial correctness and deadlock-
freedom properties, and Doeppner considered properties closely related to partial
correctness. We do not know of a similar reduction theorem for liveness properties.
We do know that such a theorem would need different hypotheses. For example,
the hypotheses of Lipton's Theorem are satisfied if $S$ equals $P(sem); V(sem)$, in
which case $\langle S\rangle$ leaves $sem$ unchanged. Suppose a program $\Pi$ contains a process
that repeatedly executes $S$. Then $\Pi/S$ might satisfy a progress property that is
not satisfied by $\Pi$ because the repeated decrementing and incrementing of $sem$
prevents some other process from making progress. Thus, the hypotheses of
Lipton's Theorem are not sufficient for deriving liveness properties.

Back [3] does give a reduction theorem for total correctness — the conjunction 
of partial correctness (a safety property) and termination (a liveness property). 
However, his hypotheses involve commutativity relations between actions outside 
5, so the theorem is not closely related to either our reduction theorem or Lipton's. 

Appendix: Proof of the Reduction Theorem 

Our proof relies on the following properties of sequential composition and atomic
operations, where $S$ equals $T; U$.

SC1. For any action $\alpha$, if $v \xRightarrow[\alpha]{S} w$, then there exists a state $x$ such that
$v \xRightarrow[\alpha - U]{T} x \xRightarrow[\alpha - T]{U} w$.

[When executing $S$: first, actions in $T$ or not in $S$ are executed until control exits $T$;
then, actions in $U$ or not in $S$ are executed until control exits $S$.]

SC2. $\mathcal{E}(S)$ implies $\mathcal{E}(T) \wedge \mathcal{E}(U)$.

[If control is external to $S$, then it is external to its components $T$ and $U$.]

SC3. $\neg\mathcal{E}(T) \wedge \neg\mathcal{E}(U)$ is identically false.

[Control cannot be internal to both $T$ and $U$.]

SC4. $\neg\mathcal{E}(T)$ implies that $U$ is not enabled.

[$U$ cannot be executed when control is internal to $T$.]

SC5. If $U$ is an atomic operation and $v \xrightarrow{U} w$ then $w \models \mathcal{E}(S)$.

[When control exits $U$, control is external to $S$; and control exits an atomic action
when it is executed.]

Lemma 2 (a) Let $\alpha$ and $\rho$ be actions such that $\rho$ right commutes with $\alpha - \rho$. For
states $t$ and $u$, if $t \xRightarrow{\alpha} u$ then there exists a state $v$ such that $t \xRightarrow{\alpha - \rho} v \xRightarrow{\rho} u$.

(b) Let $\alpha$ and $\lambda$ be actions such that $\lambda$ left commutes with $\alpha - \lambda$. For states $t$ and
$u$, if $t \xRightarrow{\alpha} u$ then there exists a state $v$ such that $t \xRightarrow{\lambda} v \xRightarrow{\alpha - \lambda} u$.

Proof of Lemma

We prove part (a); the proof of part (b) is similar. The hypothesis asserts that

$$t = t_0 \xrightarrow{\alpha} t_1 \xrightarrow{\alpha} \cdots \xrightarrow{\alpha} t_{n-1} \xrightarrow{\alpha} t_n = u \tag{7}$$

for some states $t_i$, with $0 \le n$. If $w \xrightarrow{\alpha} x$, then either $w \xrightarrow{\alpha - \rho} x$ or $w \xrightarrow{\rho} x$. By
the right-commutativity hypothesis, if $w \xrightarrow{\rho} x \xrightarrow{\alpha - \rho} y$, then there exists $x'$ such
that $w \xrightarrow{\alpha - \rho} x' \xrightarrow{\rho} y$. Thus, by repeatedly replacing $\xrightarrow{\rho} x \xrightarrow{\alpha - \rho}$ with
$\xrightarrow{\alpha - \rho} x' \xrightarrow{\rho}$, we can deduce from (7) the existence of $k$ and of states $t'_i$ such that

$$t = t'_0 \xrightarrow{\alpha - \rho} t'_1 \xrightarrow{\alpha - \rho} \cdots \xrightarrow{\alpha - \rho} t'_k \xrightarrow{\rho} \cdots \xrightarrow{\rho} t'_n = u$$

This implies $t \xRightarrow{\alpha - \rho} v \xRightarrow{\rho} u$, where $v = t'_k$.
End Proof of Lemma

Lemma 3 Assume hypotheses 0-3 of the Reduction Theorem and the additional
hypotheses that, for states $t$ and $u$:

4. $t \models \mathcal{E}(S)$

5. $u \models \mathcal{E}(S)$

6. $t \xRightarrow{\Pi} u$

Then $t \xRightarrow{\Pi/S} u$.

Proof of Lemma

We prove by induction on $n$ that, for any states $t$ and $u$, if there exist states $t_0, \ldots,
t_n$ such that

$$t = t_0 \xrightarrow{\Pi} t_1 \xrightarrow{\Pi} \cdots \xrightarrow{\Pi} t_{n-1} \xrightarrow{\Pi} t_n = u \tag{8}$$

then $t \xRightarrow{\Pi/S} u$. The base case $n = 0$ is trivial, since then $t = u$ and the relation
$\xRightarrow{\Pi/S}$ is reflexive.

We now prove the induction step, assuming $n > 0$. Assume states $t_0, \ldots, t_n$
satisfying (8) exist. The proof that $t \xRightarrow{\Pi/S} u$ is split into two cases, depending upon
whether or not $t_i \models \mathcal{E}(S)$ holds for some $0 < i < n$.

1. If $t_i \models \mathcal{E}(S)$ holds for some $0 < i < n$, then $t \xRightarrow{\Pi/S} u$.

Proof: Since $t \xRightarrow{\Pi} t_i$ and $t_i \xRightarrow{\Pi} u$, each in fewer than $n$ steps, the induction
hypothesis implies $t \xRightarrow{\Pi/S} t_i$ and $t_i \xRightarrow{\Pi/S} u$. Thus, $t \xRightarrow{\Pi/S} u$ holds by
transitivity of $\xRightarrow{\Pi/S}$.

2. If $t_i \models \neg\mathcal{E}(S)$ holds for all $0 < i < n$, then $t \xRightarrow{\Pi/S} u$.

2.1. Choose a state $v$ such that $t \xRightarrow[\Pi - L]{R;\langle A\rangle} v \xRightarrow[\Pi - R;\langle A\rangle]{L} u$.

Proof: State $v$ exists by SC1, since $t \xRightarrow{\Pi} u$ by hypothesis 6, so $t \xRightarrow{S} u$ by
the antecedent of 2.

2.2. Choose a state $w$ such that $t \xRightarrow[(\Pi - L) - \langle A\rangle]{R} w \xRightarrow[(\Pi - L) - R]{\langle A\rangle} v \xRightarrow[\Pi - R;\langle A\rangle]{L} u$.

Proof: State $w$ exists by 2.1 and SC1.

2.3. $w \xrightarrow{\Pi - S} v$ or $w \xrightarrow{\langle A\rangle} v$ or $w = v$.

2.3.1. $w \models \mathcal{E}(\langle A\rangle)$

Proof: By hypothesis 4 and SC2, $t \models \mathcal{E}(\langle A\rangle)$; proof step 2.2 implies
$t \xRightarrow{\Pi} w$; and $\Pi$ leaves $\mathcal{E}(\langle A\rangle)$ invariant by definition of atomicity.

2.3.2. Choose states $w_0, \ldots, w_m$, for $0 \le m$, such that $w = w_0 \xrightarrow{(\Pi - L) - R}
w_1 \cdots w_{m-1} \xrightarrow{(\Pi - L) - R} w_m = v$ and $w_j \models \neg\mathcal{E}(\langle A\rangle)$ for $0 < j < m$.

Proof: By 2.2.

2.3.3. $w_j \models \mathcal{E}(\langle A\rangle)$ for $0 \le j \le m$.

Proof: By 2.3.1 and the definition of atomicity.

2.3.4. $m \le 1$

Proof: By 2.3.2 ($w_j \models \neg\mathcal{E}(\langle A\rangle)$ for $0 < j < m$) and 2.3.3.

2.3.5. $w \xrightarrow{\Pi - S} v$ or $w \xrightarrow{\langle A\rangle} v$ or $w = v$

Proof: By 2.3.2 and 2.3.4, since $(\Pi - L) - R = (\Pi - S) \cup \langle A\rangle$.

2.4. If $w \xrightarrow{\langle A\rangle} v$ then there exist states $x$ and $y$ such that
$t \xRightarrow{\Pi - S} x \xRightarrow{R} w \xrightarrow{\langle A\rangle} v \xRightarrow{L} y \xRightarrow{\Pi - S} u$.

Proof: Step 2.2 and the antecedent imply $t \xRightarrow{(\Pi - L) - \langle A\rangle} w \xrightarrow{\langle A\rangle} v \xRightarrow{\Pi - R;\langle A\rangle} u$. The
existence of $x$ follows from hypothesis 1(a) and part (a) of Lemma 2, and
the existence of $y$ follows from hypothesis 2(a) and part (b) of Lemma 2,
since $((\Pi - L) - \langle A\rangle) - R$ and $(\Pi - R;\langle A\rangle) - L$ both equal $\Pi - S$.

2.5. If $w \xrightarrow{\Pi - S} v$ or $w = v$ then there exist states $x$ and $y$ such that
$t \xRightarrow{\Pi - S} x \xRightarrow{R} v \xRightarrow{L} y \xRightarrow{\Pi - S} u$.

Proof: Step 2.2 and the antecedent imply $t \xRightarrow{(\Pi - L) - \langle A\rangle} w \xRightarrow{\Pi - S} v \xRightarrow{\Pi - R;\langle A\rangle} u$.
This implies $t \xRightarrow{(\Pi - L) - \langle A\rangle} v \xRightarrow{\Pi - R;\langle A\rangle} u$, since $\Pi - S \subseteq (\Pi - L) - \langle A\rangle$. The
existence of $x$ follows from hypothesis 1(a) and part (a) of Lemma 2, and
the existence of $y$ follows from hypothesis 2(a) and part (b) of Lemma 2,
since $((\Pi - L) - \langle A\rangle) - R$ and $(\Pi - R;\langle A\rangle) - L$ both equal $\Pi - S$.

2.6. Choose $x$ and $y$ such that $t \xRightarrow{\Pi - S} x \xRightarrow{R} w \xrightarrow{\langle A\rangle} v \xRightarrow{L} y \xRightarrow{\Pi - S} u$ or
$t \xRightarrow{\Pi - S} x \xRightarrow{R} v \xRightarrow{L} y \xRightarrow{\Pi - S} u$.

Proof: By 2.3, 2.4, and 2.5.

2.7. $t \xRightarrow{\Pi/S} x$ and $y \xRightarrow{\Pi/S} u$.

Proof: By 2.6, since $(\Pi - S) \subseteq \Pi/S$.

2.8. $x \xrightarrow{\langle S\rangle} y$

2.8.1. $x \models \mathcal{E}(S)$

Proof: By hypothesis 4 and 2.6, since every action of $\Pi - S$ leaves
$\mathcal{E}(S)$ invariant.

2.8.2. $y \models \mathcal{E}(S)$

Proof: By hypothesis 5 and 2.6, since every action of $\Pi - S$ leaves
$\neg\mathcal{E}(S)$ invariant.

2.8.3. $x \xrightarrow{\langle S\rangle} y$

Proof: By 2.6 (which implies $x \xRightarrow{S} y$), 2.8.1, and 2.8.2, and the
definition of $\langle S\rangle$.

2.9. $t \xRightarrow{\Pi/S} u$

Proof: By 2.6, 2.7, and 2.8, since $\langle S\rangle \subseteq \Pi/S$.

3. $t \xRightarrow{\Pi/S} u$

Proof: By 1 and 2.
End Proof of Lemma

Lemma 4 Assume hypotheses 0-3 of the Reduction Theorem, and the additional
hypotheses that, for states $t$ and $u$:

4. $\Pi/S$ satisfies $\mathit{Init} \Rightarrow \Box Q$

5. $t \models \mathit{Init}$

6. $t \xRightarrow{\Pi} u$

7. $u \models \mathcal{E}(S)$

Then $u \models Q$.

Proof of Lemma

1. $t \models \mathcal{E}(S)$

Proof: $t \models \mathit{Init}$ by hypothesis 5, and $\mathit{Init} \Rightarrow \mathcal{E}(S)$ by hypothesis 0 of the
Reduction Theorem.

2. $t \xRightarrow{\Pi/S} u$

Proof: By 1, hypotheses 6 and 7, and Lemma 3.

3. $u \models Q$

Proof: By 2 and hypotheses 4 and 5.
End Proof of Lemma

Proof of Theorem

The "only if" part follows from Lemma 1. To prove the "if" part, it suffices to
assume, for states $t$ and $u$:

4. $\Pi/S$ satisfies $\mathit{Init} \Rightarrow \Box Q$

5. $t \models \mathit{Init}$

6. $t \xRightarrow{\Pi} u$

and show that $u \models Q$.

The proof considers separately the cases $u \models \mathcal{E}(S)$ and $u \models \neg\mathcal{E}(S)$. The second
case is further split into the cases $u \models \mathcal{E}(R;\langle A\rangle)$ and $u \models \neg\mathcal{E}(R;\langle A\rangle)$, yielding a
total of three separate cases.

1. If $u \models \mathcal{E}(S)$ then $u \models Q$.
Proof: By Lemma 4.

2. If $u \models (\mathcal{E}(R;\langle A\rangle) \wedge \neg\mathcal{E}(S))$ then $u \models Q$.

Proof: The proof is by contradiction. We assume that $u \models \neg Q$.

2.1. Choose a state $v$ such that $u \xRightarrow{L} v$ and $v \models \mathcal{E}(S)$.

Proof: State $v$ exists by the assumption that $u \models \neg Q$, the antecedent of 2,
and hypothesis 3.

2.2. $t \xRightarrow{\Pi} v$

Proof: By 2.1 and assumption 6, which asserts that $t \xRightarrow{\Pi} u$.

2.3. $v \models Q$

Proof: By 2.2 and Lemma 4, since $v \models \mathcal{E}(S)$ by 2.1. (Substitute $v$ for $u$ in
the lemma.)

2.4. $u \models (\neg Q \wedge \neg\mathcal{E}(S))$

Proof: By the assumption that $u \models \neg Q$ and the antecedent of 2.

2.5. $v \models (\neg Q \vee \neg\mathcal{E}(S))$

Proof: By 2.1, 2.4, and hypothesis 2(b), substituting $u$ for $t$ and $v$ for $u$.

2.6. Contradiction.

Proof: 2.3, 2.5, and 2.1 ($v \models \mathcal{E}(S)$).

3. If $u \models (\neg\mathcal{E}(R;\langle A\rangle) \wedge \neg\mathcal{E}(S))$ then $u \models Q$.

3.1. $t \models \mathcal{E}(S)$

Proof: By hypotheses 5 and 0.

3.2. Choose state $v$ such that $t \xRightarrow{\Pi} v \xRightarrow{S} u$ and $v \models \mathcal{E}(S)$.

Proof: Hypothesis 6 asserts the existence of states $t_i$ such that $t = t_0 \xrightarrow{\Pi}
t_1 \xrightarrow{\Pi} \cdots \xrightarrow{\Pi} t_k = u$. Let $v$ be the last $t_i$ such that $t_i \models \mathcal{E}(S)$. By 3.1,
such a $t_i$ exists.

3.3. Choose state $w$ such that $v \xRightarrow[\Pi - L]{R;\langle A\rangle} w \xRightarrow[\Pi - R;\langle A\rangle]{L} u$.

Proof: By SC1, since 3.2 asserts that $v \xRightarrow{S} u$, and $S$ equals
$(R;\langle A\rangle); L$.

3.4. If $w \ne u$ then $w \xrightarrow{\Pi - S} u$ and $w \models \neg\mathcal{E}(R;\langle A\rangle)$.

3.4.1. Choose states $w_0, \ldots, w_n$ such that $w = w_0 \xrightarrow{\Pi - R;\langle A\rangle}
w_1 \cdots w_{n-1} \xrightarrow{\Pi - R;\langle A\rangle} w_n = u$ and $w_j \models \neg\mathcal{E}(L)$ for $0 < j < n$.

Proof: The states $w_j$ exist by 3.3, which asserts that $w \xRightarrow[\Pi - R;\langle A\rangle]{L} u$.

3.4.2. $u \models \neg\mathcal{E}(R;\langle A\rangle)$
Proof: Antecedent of 3.

3.4.3. $w_j \models \neg\mathcal{E}(R;\langle A\rangle)$ for $0 \le j \le n$

Proof: For $j = n$, this follows from 3.4.2 (since $w_n = u$). For
$j < n$, it follows by induction since $\Pi - R;\langle A\rangle$ leaves $\mathcal{E}(R;\langle A\rangle)$
invariant.

3.4.4. $0 \le n \le 1$

Proof: By 3.4.1 ($w_j \models \neg\mathcal{E}(L)$ for $0 < j < n$) and 3.4.3, $w_j \models$
false for $0 < j < n$, since $\neg\mathcal{E}(L) \wedge \neg\mathcal{E}(R;\langle A\rangle) = $ false by SC3.

3.4.5. $w \xrightarrow{\Pi - R;\langle A\rangle} u$

Proof: By 3.4.1 and 3.4.4, since $w \ne u$ (the antecedent of 3.4)
implies $n \ne 0$.

3.4.6. $w \xrightarrow{\Pi - S} u$

Proof: By 3.4.3, $w_0 \models \neg\mathcal{E}(R;\langle A\rangle)$. By SC4, this implies $L$ is
not enabled in state $w$. Since $S = R;\langle A\rangle \cup L$, 3.4.5 then implies
$w \xrightarrow{\Pi - S} u$.

3.4.7. Proof statement 3.4 holds.

Proof: By 3.4.3 and 3.4.6, since $w = w_0$.

3.5. $v \xRightarrow[\Pi - L]{R;\langle A\rangle} u$

Proof: By 3.3, which asserts $v \xRightarrow[\Pi - L]{R;\langle A\rangle} w$, and 3.4, since $\Pi - S \subseteq \Pi - L$.

3.6. Choose state $x$ such that $v \xRightarrow[(\Pi - L) - \langle A\rangle]{R} x \xRightarrow[(\Pi - L) - R]{\langle A\rangle} u$.
Proof: From 3.5 by SC1.

3.7. If $x \ne u$ then $x \xrightarrow{\Pi - S} u$.

3.7.1. $t \xRightarrow{\Pi} x$

Proof: By 3.2 and 3.6.

3.7.2. $x \models \mathcal{E}(\langle A\rangle)$

Proof: 3.1 and SC2 imply $t \models \mathcal{E}(\langle A\rangle)$, and 3.7.1 and the definition
of atomicity then imply $x \models \mathcal{E}(\langle A\rangle)$.

3.7.3. $x \xrightarrow{(\Pi - L) - R} u$

Proof: By 3.6, there exist states $x_0, \ldots, x_p$ such that $x = x_0 \xrightarrow{(\Pi - L) - R}
x_1 \cdots x_{p-1} \xrightarrow{(\Pi - L) - R} x_p = u$ and $x_j \models \neg\mathcal{E}(\langle A\rangle)$ for $0 < j < p$. By
3.7.2 and the definition of atomicity, $x_j \models \mathcal{E}(\langle A\rangle)$ for $0 \le j \le p$.
Hence, $p \le 1$, and since $x \ne u$ (by the antecedent of 3.7), $p = 1$.

3.7.4. Proof statement 3.7 holds.

Proof: Since $u \models \neg\mathcal{E}(R;\langle A\rangle)$ (by the antecedent of 3), SC5 implies
that $x \xrightarrow{\langle A\rangle} u$ does not hold (it would give $u \models \mathcal{E}(R;\langle A\rangle)$). Hence, 3.7.3
implies $x \xrightarrow{\Pi - S} u$, since $((\Pi - L) - R) - \langle A\rangle$ equals $\Pi - S$.

3.8. $v \xRightarrow{(\Pi - S) \cup R} u$

Proof: 3.6 and 3.7 imply $v \xRightarrow{(\Pi - L) - \langle A\rangle} u$, and $(\Pi - S) \cup R = (\Pi - L) - \langle A\rangle$.

3.9. Choose state $y$ such that $v \xRightarrow{\Pi - S} y \xRightarrow{R} u$.
Proof: By 3.8, hypothesis 1(a), and part (a) of Lemma 2.

3.10. $y \models \mathcal{E}(S)$

Proof: From 3.9, since $v \models \mathcal{E}(S)$ by 3.2, and $\Pi - S$ leaves $\mathcal{E}(S)$ invariant.

3.11. $y \models Q$

Proof: Since $t \xRightarrow{\Pi} v$ by 3.2 and $v \xRightarrow{\Pi} y$ by 3.9, we have $t \xRightarrow{\Pi} y$. Also,
$y \models \mathcal{E}(S)$ by 3.10. Hence, Lemma 4, substituting $y$ for $u$, implies $y \models Q$.

3.12. $u \models Q$

Proof: By 3.9, 3.10, and 3.11, substituting $y$ for $t$ in hypothesis 1(b) implies
$u \models (Q \vee \mathcal{E}(S))$. The antecedent of 3 asserts that $u \models \neg\mathcal{E}(S)$.

4. $u \models Q$

Proof: By 1, 2, and 3.

End Proof of Theorem